The *theoretical* system security improvement of SELinux is trumped by the *practical* observation that I have had existing systems broken by SELinux multiple times on the mere handful of systems I have run it on in enforcing mode, but have yet to see a single one of several dozen (all internet exposed) up-to-date *non*-SELinux systems hacked.
It is a 'safety' feature that is in practice more dangerous to system stability than what it is trying to fix. It is like having air bags in your car that go off at random times while you are driving: It is NOT acceptable behavior.
Under CentOS 5.5, and I presume RHEL 5.5 too, there is a small improvement in the shape of setroubleshoot-server; it at least gives you improved troubleshooting capabilities.
Not that it helps when you upgrade a 5.4 machine to 5.5 and you get no SELinux logging whatsoever because setroubleshoot-server wasn't installed during the upgrade. Note to self: need to add it to the minimal-kickstart configurations.